US9613210B1ActiveUtility

Evaluating malware in a virtual machine using dynamic patching

91
Assignee: PALO ALTO NETWORKS INCPriority: Jul 30, 2013Filed: Jul 30, 2013Granted: Apr 4, 2017
Est. expiryJul 30, 2033(~7.1 yrs left)· nominal 20-yr term from priority
G06F 21/566G06F 9/45533G06F 21/56G06F 2009/45587G06F 9/45558
91
PatentIndex Score
13
Cited by
216
References
38
Claims

Abstract

Analysis of potentially malicious software samples in a virtualized environment is disclosed. One or more modifications are applied to a first virtual machine instance. The first virtual machine instance is initialized as a copy-on-write overlay associated with an original virtual machine image. Further, at least one modification includes the installation of startup instructions. The modified virtual machine instance is stared. A first set of modifications resulting from executing the first virtual machine instance is captured.

Claims

exact text as granted — not AI-modified
What is claimed is: 
     
       1. A system, comprising:
 a processor configured to:
 initialize, as a copy-on-write overlay associated with an original virtual machine image, a first virtual machine instance; 
 apply one or more modifications to the first virtual machine instance, wherein at least one modification includes the installation of startup instructions, and wherein at least one modification is associated with the installation of a honey file; 
 start the modified virtual machine instance, including by executing a selected first sample within the started virtual machine instance; 
 capture a first set of modifications resulting from executing the first virtual machine instance; and 
 determine, based at least in part on an analysis of the captured modifications that the selected first sample is malicious; and 
 
 a memory coupled to the processor and configured to provide the processor with instructions. 
 
     
     
       2. The system of  claim 1  wherein the processor is further configured to capture network traffic associated with executing the first virtual machine instance. 
     
     
       3. The system of  claim 1  wherein applying at least one modification includes directly accessing a guest file system associated with the first virtual machine instance. 
     
     
       4. The system of  claim 1  wherein at least modification is associated with the installation of an application. 
     
     
       5. The system of  claim 1  wherein at least one modification is associated with the installation of a kernel hook. 
     
     
       6. The system of  claim 1  wherein at least one modification is associated with the installation of a user level hook. 
     
     
       7. The system of  claim 1  wherein at least one modification is associated with a modification to an identifier for use by the virtual machine instance. 
     
     
       8. The system of  claim 7  wherein the identifier comprises a MAC address for use by the virtual machine instance. 
     
     
       9. The system of  claim 7  wherein the identifier comprises a product identifier of an operating system. 
     
     
       10. The system of  claim 1  wherein the first sample is referenced in the startup instructions. 
     
     
       11. The system of  claim 1  wherein the processor is further configured to copy the original virtual machine image to a RAM disk as part of an initialization. 
     
     
       12. The system of  claim 1  wherein the first virtual machine instance is an overlay of the original virtual machine image. 
     
     
       13. The system of  claim 1  wherein the first virtual machine instance is an overlay of a hierarchy of virtual machine images, wherein the original virtual machine image comprises the root of the hierarchy. 
     
     
       14. A method, comprising:
 initializing, as a copy-on-write overlay associated with an original virtual machine image, a first virtual machine instance; 
 applying one or more modifications to the first virtual machine instance, wherein at least one modification includes the installation of startup instructions, and wherein at least one modification is associated with the installation of a honey file; 
 starting the modified virtual machine instance, including by executing a selected first sample within the started virtual machine instance; 
 capturing a first set of modifications resulting from executing the first virtual machine instance; and 
 determining, based at least in part on an analysis of the captured modifications that the selected first sample is malicious. 
 
     
     
       15. The method of  claim 14  wherein applying at least one modification includes directly accessing a guest file system associated with the first virtual machine instance. 
     
     
       16. The method of  claim 14  wherein at least modification is associated with the installation of an application. 
     
     
       17. The method of  claim 14  wherein at least one modification is associated with the installation of a hook. 
     
     
       18. The method of  claim 14  wherein at least one modification is associated with a modification to an identifier for use by the virtual machine instance. 
     
     
       19. A computer program product embodied in a tangible computer readable storage medium and comprising computer instructions for:
 initializing, as a copy-on-write overlay associated with an original virtual machine image, a first virtual machine instance; 
 applying one or more modifications to the first virtual machine instance, wherein at least one modification includes the installation of startup instructions, and wherein at least one modification is associated with the installation of a honey file; 
 starting the modified virtual machine instance, including by executing a selected first sample within the started virtual machine instance; 
 capturing a first set of modifications resulting from executing the first virtual machine instance; and 
 determining, based at least in part on an analysis of the captured modifications that the selected first sample is malicious. 
 
     
     
       20. A system, comprising:
 a processor configured to:
 initialize, as a copy-on-write overlay associated with an original virtual machine image, a first virtual machine instance; 
 apply one or more modifications to the first virtual machine instance, wherein at least one modification includes the installation of startup instructions; 
 start the modified virtual machine instance, including by executing a selected first sample within the started virtual machine instance, wherein the first sample is referenced in the startup instructions; 
 capture a first set of modifications resulting from executing the first virtual machine instance; and 
 determine, based at least in part on an analysis of the captured modifications that the selected first sample is malicious; and 
 
 a memory coupled to the processor and configured to provide the processor with instructions. 
 
     
     
       21. The system of  claim 20  wherein the processor is further configured to capture network traffic associated with executing the first virtual machine instance. 
     
     
       22. The system of  claim 20  wherein applying at least one modification includes directly accessing a guest file system associated with the first virtual machine instance. 
     
     
       23. The system of  claim 20  wherein at least modification is associated with the installation of an application. 
     
     
       24. The system of  claim 20  wherein at least one modification is associated with the installation of a kernel hook. 
     
     
       25. The system of  claim 20  wherein at least one modification is associated with the installation of a user level hook. 
     
     
       26. The system of  claim 20  wherein at least one modification is associated with the installation of a honey file. 
     
     
       27. The system of  claim 20  wherein at least one modification is associated with a modification to an identifier for use by the virtual machine instance. 
     
     
       28. The system of  claim 27  wherein the identifier comprises a MAC address for use by the virtual machine instance. 
     
     
       29. The system of  claim 27  wherein the identifier comprises a product identifier of an operating system. 
     
     
       30. The system of  claim 20  wherein the processor is further configured to copy the original virtual machine image to a RAM disk as part of an initialization. 
     
     
       31. The system of  claim 20  wherein the first virtual machine instance is an overlay of the original virtual machine image. 
     
     
       32. The system of  claim 20  wherein the first virtual machine instance is an overlay of a hierarchy of virtual machine images, wherein the original virtual machine image comprises the root of the hierarchy. 
     
     
       33. A method, comprising:
 initializing, as a copy-on-write overlay associated with an original virtual machine image, a first virtual machine instance; 
 applying one or more modifications to the first virtual machine instance, wherein at least one modification includes the installation of startup instructions; 
 starting the modified virtual machine instance, including by executing a selected first sample within the started virtual machine instance, wherein the first sample is referenced in the startup instructions; 
 capturing a first set of modifications resulting from executing the first virtual machine instance; and 
 determining, based at least in part on an analysis of the captured modifications that the selected first sample is malicious. 
 
     
     
       34. The method of  claim 33  wherein applying at least one modification includes directly accessing a guest file system associated with the first virtual machine instance. 
     
     
       35. The method of  claim 33  wherein at least modification is associated with the installation of an application. 
     
     
       36. The method of  claim 33  wherein at least one modification is associated with the installation of a hook. 
     
     
       37. The method of  claim 33  wherein at least one modification is associated with a modification to an identifier for use by the virtual machine instance. 
     
     
       38. A computer program product embodied in a tangible computer readable storage medium and comprising computer instructions for:
 initializing, as a copy-on-write overlay associated with an original virtual machine image, a first virtual machine instance; 
 applying one or more modifications to the first virtual machine instance, wherein at least one modification includes the installation of startup instructions; 
 starting the modified virtual machine instance, including by executing a selected first sample within the started virtual machine instance, wherein the first sample is referenced in the startup instructions; 
 capturing a first set of modifications resulting from executing the first virtual machine instance; and 
 determining, based at least in part on an analysis of the captured modifications that the selected first sample is malicious.

Cited by (0)

No later patents cite this yet.

References (0)

No backward citations on record.